January 09, 2005

Identity Theft: Why Hollywood has to take one for the team.

The Year of the Phish has passed us by, and we can relax in our new life swimming in fear of the net. Everyone now knows about the threats, even the users, but what they don't know is what happens next. My call: it's likely to get a lot worse before it gets better. And how it gets better is not going to be life as we knew it. But more on that later.

First... The Good News. There is some cold comfort for those not American. A recent report had British phishing losses under the millions. Most of the rich pickings are 'over there' where credit rules, and identity says 'ok'. And even there, the news could be construed as mildly positive for those in need of good cheer. A judge recently ruled a billion dollar payout against spammers who are identified in name, if not in face. We might never see their faces, but at least it feels good. AOL reported spam down by 75% but didn't say how they did it.

Also, news that Microsoft is to charge extra for security must make us believe they have found the magic pixie dust of security, and can now deliver an OS that's really, truly secure, this time! Either that, or they've cracked the conundrum of how to avoid the liability when the masses revolt and launch the class action suit of the century.

All this we could deal with, I guess, in time, if we could as an industry get our collective cryptographic act together and push the security models over to protecting users (one month's coding in Mozilla should do it, but oh, what a long month it's been!). But there is another problem looming, and it's ...

The Bad News: the politicians are now champing at the bit, looking for yet another reason to whip today's hobby horse of 'identify everyone' along into more lather. Yes, we can all mangle metaphors, just as easily as we can mangle security models. Let me explain.

The current project to identify the humanity of the world will make identity theft the crime of the century. It's really extraordinarily simple. The more everything rests on Identity, the more value will Identity have. And the more value it has, the more it will be worth to steal.

To get a handle on why it is more valuable, put yourself in the shoes of an identity thief. Imagine our phisher is three years old, and has a sweet tooth for data.

How much sugar can there be found in a thousand cooperating databases? Each database perfectly indexed with your one true number and bubbling over with personal details, financial details, searchable on demand. A regulatory regime that creates shared access to a thousand agencies, and that's before they start sharing with other countries?

To me, it sounds like the musical scene in the sweets factory of Chitty Chitty Bang Bang, where the over indulgent whistle of our one true identity becomes our security and dentistry nightmare. When the balance is upset, pandemonium ensues. (I'm thinking here the Year of the Dogs, and if you've seen the movie you will understand!)

Now, one could ask our politicians to stop it, and at once. But it's too late for that, they have the bits of digital identity between their teeth, and they are going to do it to us to save us from phishing! So we may as well be resigned to the fact that there will be a thousand interlinked identity databases, and a hundred times that number of people who have the ability to browse, manipulate, package, steal and sell that data. (This post is already too long, so I'm going to skip the naivete of asking the politicians to secure our identity, ok?)

A world like that means credit will come tumbling down, as we know it. Once you know everything about a person, you are that person, and no amount of digital hardware tokens or special biometric blah blahs will save the individual from being abused. So what do people do when their data becomes a phisher's candyfest?

People will withdraw from the credit system and move back to cash. This will cost them, but they will do it if they can. Further, it means that net commerce will develop more along the lines of cash trading than credit trading. In ecommerce terms, you might know this better as prepaid payment systems, but there are a variety of ways of doing it.

But the problem with all this is that a cash transaction has no relationship to any other event. It's only just tractable for one transaction: experienced FCers know that wrapping a true cash payment into a transaction when you have no relationship to fall back to in event of a hiccup is quite a serious challenge.

So we need a way to relate transactions, without infecting that way with human identity. Enter the nym, more fully known as the pseudonymous identifier. This little thing can relate a bunch of things together without needing any special support.

We already use them extensively in email, and in chat. There are nyms like iang which are short and rather tricky to use because there are more than one of us. We can turn it into an email address, and that allows you to send a message to me using one global system, email. But spam has taught us a lesson with the email address, by wiping out the ease and reliability of the email nym ... leading to hotmail and the throw away address (for both offense and defense) and now the private email system.

Email has other problems (I predict it is dying!) which take us to Instant Messaging (or chat or IM). The rise of the peer-to-peer (p2p) world has taken nyms to the next level: disposable, and evolutionary.

This much we already know. P2P is the buzzword of the last 5 years. It's where the development of user activity is taking place. (When was the last time you saw an innovation in email? In browsing?)

Walking backwards ... p2p is developing the nym. And the nym is critical for creating the transactional framework for ecommerce. Which is getting beaten up badly by phishing, and there's an enveloping pincer movement developing in the strong human identity world.

But - and here's the clanger - when and as the nymous and cash based community develop and overcome their little difficulties, those aforementioned forces of darkness are going to turn on it with a vengeance. For different reasons, to be sure. For an obvious example, the phishers are going to attack looking for that lovely cash. They are going to get rather rabid rather quickly when they work out what the pickings are.

Which means the mother of all security battles is looming for p2p. And unfortunately, it's one that we have to win, as otherwise, the ecommerce thing that they promised us in the late nineties is looking a bit more like those fairy tales that don't have a happy ending. (Credit's going to be squeezed, remember.)

The good news is that I don't see why it can't be won. The great thing about p2p is the failure of standards. We aren't going to get bogged down by some dodgy 80's security model pulled out of the back pages of a superman comic, like those Mr Universe he-man kits that the guy with the funny name sold. No, this time, when the security model goes down in flames (several already have) we can simply crawl out of the wreckage, dust off and go find another fighter to fly into battle.

Let's reel off those battles already fought and won and lost. Napster, Kazaa, MNet, Skype, BitTorrent. There are a bunch more, I know, I just don't follow them that closely. Exeem this week, maybe I do follow them?

They've had some bad bustups, and they've had some victories, and for those in the systems world, and the security world, the progress is quite encouraging. Nothing looks insurmountable, especially if you've seen the landscape and can see the integration possibilities.

But - and finally we are getting to the BIG BUT - that means whoever these guys are defeating ... is losing! Who is it? Well, it's the music industry. And hollywood.

And here's where it all comes together: ecommerce is going to face a devastating mix of over rich identity and over rich phishers. It'll shift to cash based and nym based, on the back of p2p. But that will shift the battle royale into p2p space, which means the current skirmishes are ... practice runs.

And now we can see why Hollywood is in such a desperate position. If the current battle doesn't see Hollywood go down for the count, that means we are in a world of pain: a troubling future for communication, a poor future for ecommerce, and a pretty stark world for the net. It means we can't beat the phisher.

Which explains why Hollywood and the RIAA have found it so difficult to get support on their fight: everyone who is familiar with Internet security has watched and cheered, not because they like to see someone robbed, but because they know this fight is the future of security.

I like Hollywood films. I've even bought a few kilograms of them. But the notion of losing my identity, losing my ability to trade and losing my ability to communicate securely with the many partners and friends I have over the net fills me with trepidation. I and much of the academic and security world can see the larger picture, even if we can't enunciate it clearly. I'd gladly give up another 10 years of blockbusters if I can trade with safety.

On the scales of Internet security, we have ecommerce on one side and Hollywood on the other. Sorry, guys, you get to take one for the team!

Nym Secure the Centralized Repository of Nyms on the fly allowing all nyms used for commerce to be held in trust with full payment details. It's not enough to hold cash and buy things with it online but use a name on the fly but sign it with something that makes sense. The Nym Sig Secure will issue cash to payments based on instructions from the nym holder and the receiver of the dosh will only have the Nym Sig Secure Dosh to worry about. Damn the DRM of it all if all the balances are cash they need no other information. Complaints about purchases will be strongly supported because the collective (borg style) will hold sway over vast enterprises of commerce stating quickly and clearly that this merchant is a rip off and why or this product sucks large canine testicles. If Nym Sig Secure can state it has 20 million customers and is considered the nasty enemy of poor commercial offerings then people may flock to its offering.

That's where strong data privacy and data protection laws come into play: as long as agencies and/or people and/or companies only are allowed access to data they need, the collected set of data may not be that bad.

It's a common misconception of citizens of countries like the US or the UK that a National Identity Card is Evil (with a capital E), as is mandatory address registration etc. The main thing is the way this data is going to be used.

You are right that the concept of networked databases is highly dubious, especially with the political climate all over the world being like it is at the moment, but I still believe it's all a matter of controls and checks and balances.

You are correct in that the thinking in Britain and the US is only slowly moving across to the notion of the database as the core issue. But what should then become apparent is that those checks and balances should become the priority. This is obvious to those on the Continent. But, it's not obvious to those in Britain and the US, and to be frank, it wasn't until I attended Hyperion's Digital Identity conference last year that I realised this was a missing link.

I predict the spread of realisation of this flaw beyond the Internet FC and privacy communities will be way way too late. The system will be built without controls, checks and balances. That's the working assumption I am making.

Honestly, I would not be offended in the slightest if someone could prove me wrong!

Ironically, the much-despised TCG (aka TCPA) has the first proposal I've seen for cryptographic anonymity/pseudonymity which actually has a chance at mainstream success. This is Direct Anonymous Attestation (DAA), http://www.zurich.ibm.com/security/daa/, which uses a sort of blind group signature to allow a remote server to verify that a system has a valid Trusted Platform Module (TPM) chip (what Ross Anderson calls a "Fritz" chip). It performs this verification while using crypto anonymity to limit the amount of information that leaks about the user's identity.

Trusted Computing technology also offers a solution for phishing, allowing people to use credentials to access sites rather than passwords, where the credentials are locked using a hardware chip so they can't be stolen by trojans or viruses. Unfortunately all this is years away at best and my guess is that we will have adequate solutions to these problems of phishing and identity theft long before TCG can be deployed on a large enough scale. Of course this delay is due in large part to the efforts of online privacy advocates and conspiracy theorists.

The trusted platform stuff had a fatal flaw as far as I could see. It was only trusted by the suppliers of the platform and their designated agents, not by the nominal owner of the machine. Now, it may be that in a bygone age, this could have been impressed on the consumer; after all this is what a cell phone is, a trusted platform that is trusted by the supplier, not necessarily by the consumer.

But PC consumers have had 2 decades of their own trust being the norm. That makes for a fairly high barrier to cross. That barrier is not insurmountable, but it would have to involve a pretty nice deal for the consumer. The alternative that was offered was a crock: you get to pay for it and we get to charge you for using it.

So it's no surprise it bombed. That's just the laws of economics and the practice of marketing at work there. It would be a complete and utter surprise if it had worked, and would cause us to re-evaluate our notions of the market as one without searching for some sort of value.